Two Canadian banks got hacked: 90,000 customers’ information has been stolen

Bank of Montreal (BMO) and Simplii Financial, owned by the Canadian Imperial Bank of Commerce (CIBC), reported a possible data breach. About 90,000 customers’ data has been stolen, and hackers are asking each organization to pay $1 million.

Both of the targets rank among the five largest banks in Canada, so the damage is huge. According to the latest information, hackers stole the details of fewer than 50,000 BMO customers and 40,000 CIBC clients.[1]

An investigation into the data breach has started. The banks have also taken all necessary measures to protect their clients. However, critics say that the organizations should have thought about customer protection earlier.

BMO Financial Group reported the Bank of Montreal data breach

Bank of Montreal reported that on Sunday, May 27, cyber criminals contacted the bank about possibly stolen personal and financial information of its customers:[2]

<…> fraudsters contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers. <…> We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation.

Representatives of the organization believe that this cyber attack was arranged from outside the country. However, detailed information about the data breach will appear only after the investigation is over.

Simplii Financial was attacked on Sunday too

CIBC also reported a breach of 40,000 Simplii customers’ data that took place on Sunday. In the company’s official statement, Michael Martin, Senior Vice-President of Simplii Financial, described the precautions taken to protect clients.

However, the bank also suggested that customers take extra steps to protect themselves, such as setting strong and complex passwords and monitoring their accounts.[3] In case of suspicious activity, clients should contact the bank immediately and get a refund:

Clients who notice suspicious activity are encouraged to contact Simplii Financial. If a client is a victim of fraud because of this issue, we will return 100% of the money lost from the affected bank account. [Source: Simplii Financial]

Currently, there’s no information that the main Canadian Imperial Bank of Commerce was hacked. Hence, only customers of Simplii Financial should be cautious.

Hackers contacted the banks and demanded a ransom

On Sunday, both banks received an email from the hackers claiming to have stolen customers’ information. The email explained how they had managed to commit the crime and asked each organization to pay $1 million.

It is said that the attackers figured out a common mathematical algorithm to confirm specific numeric sequences for credit card or social insurance numbers. Then they used this information to reset customers’ passwords.[4]
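The weakness described above, shown as an added example that is not from the banks or the original article: it assumes the "common mathematical algorithm" is the Luhn checksum, which both payment card numbers and Canadian social insurance numbers use, and that a reset flow treated a well-formed number as proof of identity. `ResetVerifier`, the account id, the failure threshold and the sample numbers are constructed for illustration.

```python
import hmac

def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum (assumed algorithm)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk right to left, doubling every second digit and folding 10..18 to 1..9.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def weak_reset_check(submitted: str) -> bool:
    # Flawed: any well-formed number passes, whoever it belongs to.
    return luhn_valid(submitted)

MAX_FAILURES = 3  # constructed threshold for this example

class ResetVerifier:
    """Hypothetical hardened check: match the value on file and cap failures."""

    def __init__(self, on_file: dict):
        self.on_file = on_file      # account id -> identifier held by the bank
        self.failures = {}          # account id -> consecutive failed attempts

    def verify(self, account: str, submitted: str) -> bool:
        if self.failures.get(account, 0) >= MAX_FAILURES:
            return False            # locked: needs out-of-band verification
        expected = self.on_file.get(account, "")
        ok = luhn_valid(submitted) and hmac.compare_digest(
            submitted.encode(), expected.encode())
        if ok:
            self.failures[account] = 0
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
        return ok

# Constructed sample values: both are fictitious, checksum-valid 9-digit numbers.
ON_FILE = "046454286"
OTHER = "130692544"

if __name__ == "__main__":
    v = ResetVerifier({"acct-1": ON_FILE})
    print(weak_reset_check(OTHER), v.verify("acct-1", OTHER), v.verify("acct-1", ON_FILE))
```

A checksum only catches typing errors; the hardened check ties the submitted value to the record on file and stops accepting attempts after repeated failures.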

The banks were also told to pay the ransom to prevent the stolen information from being leaked. The hackers were quite greedy and asked both Bank of Montreal and Canadian Imperial Bank of Commerce’s Simplii Financial to pay one million dollars within one day. The payment was to be made in Ripple cryptocurrency.[5]

It seems that neither bank gave in to the hackers’ blackmail. Instead, they are working with cyber security specialists and trying to help victims of the data breach.

About the author

Lucia Danes
- Security researcher

Lucia Danes is the news editor at UGetFix. She is always on the move because her eagerness for knowledge makes her travel around the globe and attend InfoSec events and conferences.